You can map directory users to roles and profiles other than those they inherit from the database users to which they are mapped.
If auto provisioning is configured on the system, users assigned to a role or profile are automatically provisioned with an individual database account.
Consider the following conditions and limitations when mapping directory users to roles and profiles:
- You cannot map directory users to standard database roles. Instead, you must create external roles, using the CREATE EXTERNAL ROLE statement, and then map the directory users to directory role objects named for the external roles.
- Mappings to directory profile and role objects take precedence over those inherited from a mapped database user.
- If directory users are also mapped to other roles, they must use the SET ROLE statement (within a session) to enable the roles inherited from the permanent users to which they are mapped.
- Although there is no limit to the number of external roles you can map to a directory group object, the database recognizes a maximum of 50 roles. If the number of external roles mapped to a group exceeds 50, database logons by members of the group fail.
For information on creating external roles, see Using Roles for Directory Users.
For information on profiles, see the topics beginning with Working with Database Profiles.
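Because exceeding the 50-role limit described above makes logons fail for every member of the affected group, it is worth checking role mappings before changing the directory. The following is an added example, not part of the original documentation or the product: it reads an LDIF export of directory role objects and reports groups mapped to more than 50 external roles. The `member` attribute name, the DNs, and the sample data are assumptions; substitute the attribute your directory schema uses for role mappings.

```python
import base64
from collections import defaultdict

MAX_ROLES = 50          # limit stated in the text above
MEMBER_ATTR = "member"  # assumption: attribute listing the groups mapped to a role object

def parse_entries(ldif):
    """Yield one {attr: [values]} dict per LDIF entry, unfolding continuation lines."""
    entry, lines = defaultdict(list), []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 folded line
        else:
            lines.append(raw)
    for line in lines + [""]:             # trailing blank line flushes the last entry
        if not line.strip():
            if entry:
                yield dict(entry)
            entry = defaultdict(list)
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):     # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[attr.strip().lower()].append(value.strip())

def norm_dn(dn):
    # Simplified DN comparison: case-folded, spaces around commas dropped.
    return ",".join(part.strip() for part in dn.split(",")).lower()

def roles_per_group(ldif):
    """Map each group DN to the set of external role names mapped to it."""
    mapping = defaultdict(set)
    for entry in parse_entries(ldif):
        for role in entry.get("cn", []):  # role object is named for the external role
            for member in entry.get(MEMBER_ATTR, []):
                mapping[norm_dn(member)].add(role.lower())
    return mapping

def over_limit(ldif, limit=MAX_ROLES):
    """Return [(group_dn, role_count)] for groups whose members could not log on."""
    return sorted((g, len(r)) for g, r in roles_per_group(ldif).items() if len(r) > limit)

# Constructed sample: 51 role objects map "analysts"; 3 of them also map "auditors".
SAMPLE = "\n\n".join(
    f"dn: cn=ext_role_{i},ou=roles,dc=example,dc=com\ncn: ext_role_{i}\n"
    f"member: CN=Analysts, ou=groups,dc=example,\n dc=com\n"
    + ("member: cn=auditors,ou=groups,dc=example,dc=com\n" if i < 3 else "")
    for i in range(51))
```

Calling `over_limit(SAMPLE)` reports the `analysts` group with 51 roles; the `auditors` group, with 3, is not reported.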